Librem 14's ME disabled but not neutralized

where did you get this “information” from? A system with the ME disabled via the HAP bit cannot be re-enabled arbitrarily – it would require re-flashing the firmware. The same re-flash could restore a neutralized ME to a working one. Plus, there are additional protections done to prevent access to the ME from a booted system, such as disabling the PCI/HECI interface.


I could be wrong but maybe AMT only works over a built-in GbE controller anyway. So traditional Purism laptops, having no GbE at all, were less likely to be vulnerable to remote control exploits via AMT. (That’s not to say that it would be impossible for the ME to support AMT over some random ethernet controller or even over WiFi but the ME code doesn’t write itself and magically load itself into your computer, and there would be additional challenges.)

As far as I know, none of the Purism laptop CPUs, up to and including the Librem 14, officially have AMT support at all. So it would require a certain amount of misinformation from Intel (which, yes, could be part of some grand conspiracy :wink:).

Perhaps, as of some future Intel CPU, AMT will become mandatory and unavoidable … and it will be time to move away from Intel - for this and other reasons.

Going with Dell means you’ll never get ME neutralized.

Going with Purism likely means it’s only a matter of time before it is neutralized (not to mention all the other bits @craftkiller called out above).

1 Like

AMT only works with a built-in Intel-made GbE or Wifi. A Realtek GbE or Atheros Wifi like Purism uses wouldn’t be able to be utilized even if AMT were present/active (which it most certainly is not)


Hi Kyle, thanks for your explanation. I’m kinda new to this ME topic, and was wondering if it’s possible to neutralize it afterwards - once purism found out how?

He answered this in another thread: New Post: Librem 14 Update: Freed EC, Shipping Beginning in March

“When we accomplish that [neutralising ME] existing owners would just reflash their boot firmware (coreboot or PureBoot), which contains the ME code as part of it. In terms of the risk analysis, I talk about that a bit in a different thread .”

I think there is a risk of “bricking” your computer while doing so. This is why, personally, as a Unknowledgeable linux user, I’m juggling with the idea of waiting a bit before ordering it, giving time to purism to find a way to neutralize it themselve.

According to the need and interest in having it disabled and neutralized, I’m guessing it should be high priority in their “to do” list.

1 Like

I understand… thanks.
Good thing you’re waiting.
I already ordered, in September. I need it for my work but I also need it to be as secure as possible. Now I regret I bought the librem 14 instead of 15…

With uniform hardware, the risk of bricking devices during firmware updates is fairly minor. It mostly comes down to don’t power fail the device. Given that the laptops have an internal battery: make sure they are plugged into the wall and fully charged and you should be fine. Well, and don’t do it if the Earth is encountering a coronal mass ejection event, but those are fairly rare.

In the event that updating fails, the firmware chip is accessible, and can be reprogrammed by a chip programmer without desoldering it. You can likely do it yourself, if you have or can build (raspberry pi / arduino, maybe with a level shifter) a chip programmer. In the worst case, purism could reflash it for you (with the major downside of waiting on shipping and their turnaround time).


Yeah, the real risk of bricking comes when you are playing around with creating your own version of the firmware, or using firmware from untrusted sources.

1 Like

The other risk is applying the firmware for one model/version to another model/version. I think the firmware upgrade script tries to stop you doing that but …

Actually, the EC is the priority… better to have rgb than neutralization. I’m not happy with that since that’s not my priority nor the reason why i decided to buy a librem instead of other brand… security is my number one priority and rgb is completely accessories.

What about Librem Mini v1 (with Intel Core i7-8565U CPU) - it has disabled and neutralized or just disabled Intel ME?

Also, maybe will be safer to use AMD Ryzen processors instead of Intel processors? Or AMD processors also have backdoors?

AMD systems have a similar thing to the ME, it’s called the PSP. It’s worse than the ME in a way because we know almost nothing about what it does, at least with the ME we have some understanding of it.

Not quite true, in the last couple of years there was quite detailed dissection of psp. The problem with psp is just that it’s fully signed so you cannot tamper with it (eg neutralize) as it would change signature. But you can still read it for offline analysis and tamper with runtime.


just disabled

1 Like

Okey’s who’s gonna bet with me, that I recieve one ping packet, and that management engine from intel is going to rebounce to main loop again?

Network card is from intel? How do you want to disable it?

Abandon intel developement while it’s time, and go workstation AMD processors.
Or ARM based notebook.

Since you can’t disable it and you can’t trust it … you don’t connect it i.e. no network cable connected to the wired network usable via the humunculus CPU (aka the Intel ME), or indeed not even connected internally. Not much is exfiltrated via ethernet when it’s not connected. (Probably different on the L14 c.f. the L13 and L15 but the idea is the same.)

The built-in WiFi in more recent Intel CPUs is more of a worry, albeit not quite a 100% problem yet.

Abandon x86. At the current time, neither of them allows you to build a fully satisfactory computer.


abandon SHIP !!! what ? abandon x86 ? what madness is this ?

I just got a mini desktop ( not a NUC ) with an AMD Ryzen 5 cpu and 16gb ram. What qualifies as a fully satisfactory computer?